When Spammers Attack? 16
Gothmolly asks: "After reading the recent spate of spam and anti-spam articles here on Slashdot, I decided to beef up the anti-spam security on my own domain. I run my own domain and mail server, running Qmail, along with rblsmptd. Mail that passes this gets hit with Spamassassin
However, one particular spamhaus, Clickformail has particularly nasty servers, they try at least 2 SMTP connects/second, and I suspect that's only limited by my 384k DSL pipe. The impact on my box was non-zero, to say the least. I ended up putting a packet filter on their class C netblock to stop the barrage of log messages and increase in load (from 0.05 normal to 0.15). Has anyone else experienced such determined spammers, and what is the best way around it?"
Tarpitting (Score:3, Insightful)
Not much todo... (Score:3, Interesting)
If linespeed/cpu-load is such a problem that you need to block it on a higher level than application, go for packetfiltering (which you've done). I'd guess the next step would be blocking them at router-level, preferably on the other side of that 384k line... probably impossible as I guess it's an xDSL line from somebody who doesn't provide that kind of service?
You could try hitting their ISPs abuse@, but it usually turns up blank or 'we already know and don't care' reply...
Off topic, but still.. (Score:3, Informative)
Altough it would be nice to slashdot them off the net, off course :)
Re:Off topic, but still.. (Score:3, Informative)
Not that I'm suggesting anything, of course.
And---why not just block incoming TCP connections on port 25 from their subnet, rather than blocking their whole subnet (or is this what oyu did, and you were just vague?) (or does your firewall not support this?)
What's wrong with the packet filter? (Score:3, Insightful)
Don't fool around! Hit 'em hard! (Score:5, Interesting)
Then give a call to the U. S. Secret Service Electronic Crimes Branch [ustreas.gov] or the FBI National Computer Crime Squad [emergency.com] or the National Infrastructure Protection Center [nipc.gov].
Note that each of these organizations has a dollar amount threshold. If the crime doesn't break the threshold (e.g. over $10k or something (I don't know the actual numbers, but I'm sure they can be found here [google.com])), then they won't investigate the crime.
Simplest solution (Score:3, Informative)
iptables -A INPUT -s 204.1.28.0/24 -j DROP
Put it just before the first rule that accepts or logs anything. (I haven't tried it yet - if you're an iptables expert and see a mistake, please post a correction).
Re:Simplest solution (Score:3, Interesting)
.
You want to be able to stop those packets from hitting your 384Kbps xDSL line. Otherwise, you are not only losing processing time dealing with the junk; you are having to give up a fraction of your bandwidth too.
Admittedly, it isn't a large chunk of your bandwidth. Likely around 3/4 - 1.0 %. However, it won't take much to get out of control.
This is where the real problem lies, and; xDSL service providers seldom are willing to route or modify the feeds they send clients. In fact, they frequently don't have the infrastructure for it at all.
Delaying responses (Score:3, Insightful)
smtpd_error_sleep_time = 30
which would take 30 seconds from the wrong/blocked SMTP command until Postfix gives an error message. With this easy measure you can seriously slow down those spam-bursts, especially when they try to send several spam mails within the same SMTP session.
It's only disturbing when you try to debug your SMTP with telnet, but that's ok
Tantalus (Score:5, Informative)
It basicly picks up where spamassassin and RBL stops.... It's kinda fun to watch it in debug mode.... and it's free.
http://www.linuxmailmanager.com/tantalus.html [linuxmailmanager.com]
ChiefArcher
Five Days (Score:2)
Three days later I was still receiving from them, so I tracerouted and complained to the mail server's upstream provider (level3.net abuse). The next day I received another spam from them, but a different mail server. So I tracerouted that and complained to that mail server's upstream provider (bluehornet.com spamcomplaints).
And that's the last I heard from ClickForMail since May 21 this year. So it seems to be possible, if you complain loudly enough, to turn the flow off at its source. If you do have to go to upstreams, make sure to mention (as somebody else has done) that they are effectively performing a DoS on your system.
Chris Beckenbach